Thwart Insider Abuse

It hasn't been getting a lot of media attention lately, but the threat to corporate security and intellectual property from insiders remains one of the biggest challenges facing IT departments today.
According to the most recent survey by the American Society for Industrial Security in Alexandria, Va., current and former employees and on-site contractors with authorized access to facilities and networks continue to pose the most significant risk to intellectual property such as research data, customer files and financial information.

What follows is a list of the best tips—from a variety of IT security professionals—on how to detect and prevent insider abuse of computer and network resources. Experts say that all security programs should focus on people, process and technology, so we've broken the list into those three categories.

People

Require new hires to go through a security orientation. Have employees review and sign a policy concerning the acceptable use of company IT resources. In addition, an orientation program should include a review of the threats; a specific list of do's and don'ts to protect corporate information, passwords and physical security; and what to do (and whom to contact) if an employee discovers a security violation.

Don't overlook the sensitive data on common office peripherals, such as copiers and printers. When these products are used, the memory of that use remains in the machine, sometimes for years. There are products available to address this issue, such as "digital shredder" software, which erases data from the machine after each use.

Establish a corporate "neighborhood watch" program. Set up a reporting structure that is able to detect irregularities and prevent social engineering.

Check the backgrounds of all employees who handle sensitive data.

Make sure the passwords for systems administrators have the strongest level of authentication and are given to the smallest potential audience.

Require systems administrators to take two consecutive weeks of vacation annually—similar to the vacation requirements for senior bank managers—so that fraudulent activities or other improprieties can surface while they're gone.

Develop a policy-setting "security council" that has an executive sponsor from each major department, such as human resources, finance, IT and marketing.

Integrate IT procedures and HR procedures so that system access is tied to employee (and consultant) hiring and departures.

Process

Establish a reliable system for assigning access to company data. Make sure the system can disable such access immediately if a major layoff occurs.

Determine, based on job function, seniority and other roles, who needs to have access to which company resources and why.

Require employees to sign a nondisclosure contract on their date of hire so they know what type of information is considered proprietary and what the consequences will be if they share it without authorization.

Keep an inventory of your IT assets. Know the type and version of every operating system and application you use, as well as the number of computers and networking devices you have and all of the firewall types and rules.

Conduct security audits on all systems every 24 hours to ensure that the systems are secured and haven't regressed or been rendered vulnerable.

Make the ability to support your company's information access policy one of the criteria for buying new software or systems.

Evaluate the security of your business partners and vendors.

Technology

Identify dormant IDs or orphaned accounts. Install or create a system for actively checking for and deleting out-of-date IDs and accounts as well as inactive users.

Have an automated system for resetting passwords on a regular basis.

Make sure that the accounts belonging to laid-off employees aren't simply deleted. Instead, incorporate a suspend feature in your provisioning process that prevents outside access but enables the IT department to search for key data in the account.
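The three account-lifecycle tips above (tie access to HR departures, hunt for dormant and orphaned IDs, suspend rather than delete) can be combined into one reconciliation job. The following is an added example written for this article, not code from any of the professionals quoted; the HR roster, the account export and the 90-day dormancy threshold are constructed for illustration.

```python
"""Reconcile system accounts against the HR roster (added example, not from the article).

Constructed data: an HR roster of current and departed staff, plus an export of
system accounts with their last-login dates.  Each account is classified as:
  - "suspend": HR says the owner has left; disable login but keep the account and
               its data so IT can still search it (do not delete).
  - "review":  no HR owner at all (orphaned) or no login within DORMANT_DAYS.
  - "ok":      owned by an active employee and used recently.
"""
from datetime import date

DORMANT_DAYS = 90                      # assumption for this example
TODAY = date(2024, 3, 15)              # fixed "now" so the example is reproducible

# Constructed HR roster: user id -> employment status
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "end_date": date(2024, 1, 15)},
    "carol": {"status": "active"},
}

# Constructed account export from a directory or application
SYSTEM_ACCOUNTS = [
    {"id": "alice",          "last_login": date(2024, 3, 1)},
    {"id": "bob",            "last_login": date(2024, 1, 14)},
    {"id": "carol",          "last_login": date(2023, 10, 1)},
    {"id": "svc_backup_old", "last_login": None},   # nobody in HR owns this one
]


def classify(account, roster, today):
    """Return (action, reason) for one account."""
    owner = roster.get(account["id"])
    if owner is None:
        return "review", "orphaned: no HR record for this account"
    if owner["status"] != "active":
        return "suspend", f"HR status '{owner['status']}' since {owner['end_date']}"
    last = account["last_login"]
    if last is None or (today - last).days > DORMANT_DAYS:
        return "review", f"dormant: no login in the last {DORMANT_DAYS} days"
    return "ok", "active and recently used"


def reconcile(accounts, roster, today):
    """Classify every account; returns {account_id: (action, reason)}."""
    return {a["id"]: classify(a, roster, today) for a in accounts}


def apply_decisions(accounts, decisions):
    """Model the provisioning state after acting on the decisions.

    Nothing is deleted: a suspended account is disabled for login but retained,
    so its mailbox or home directory can still be searched for key data.
    """
    state = {}
    for a in accounts:
        action, reason = decisions[a["id"]]
        state[a["id"]] = {
            "login_enabled": action == "ok",
            "retained": True,          # suspend, never delete
            "flag": action,
            "reason": reason,
        }
    return state


REPORT = reconcile(SYSTEM_ACCOUNTS, HR_ROSTER, TODAY)
STATE = apply_decisions(SYSTEM_ACCOUNTS, REPORT)

if __name__ == "__main__":
    for acct, (action, reason) in REPORT.items():
        print(f"{acct:16} {action:8} {reason}")
```

Running the job daily, with the HR roster as the source of truth, makes a departure or a layoff take effect in every connected system the same day; the "review" bucket is where orphaned service accounts and long-unused IDs surface for a human decision.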

Convert stand-alone electronic physical access-control devices into network-enabled devices so that physical access events can be correlated with network events and file-access attempts. For example, integrate your building-access card reader with your IT network so that an event like a person entering a building late at night can be correlated with any cybersecurity violations that take place around the same time.

Collect historical data for individual employees regarding network activity and file-access attempts and then employ a formula to calculate a risk factor for each event. Rank the risk factors and sort by employee to identify the riskiest employees or those who need remedial security training.
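The last two tips (correlate badge-reader events with network and file-access events, then score and rank them per employee) fit together in one small pipeline. What follows is an added example written for this article, not a product or a formula any of the quoted experts described; the two log formats, the sensitive share names, the business-hours window and the additive score weights are all constructed assumptions.

```python
"""Correlate physical badge events with file-access events and score risk per employee.

Added example, not from the article.  Both log formats are constructed:
  <ISO timestamp> <user> key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader log (physical access)
BADGE_LOG = [
    "2024-03-04T08:55:00 alice door=main-lobby result=granted",
    "2024-03-04T23:40:00 dave door=server-room result=granted",
]

# Constructed file-server log (network / file-access attempts)
FILE_LOG = [
    "2024-03-04T09:10:00 alice path=/shares/finance/q1.xlsx result=allowed",
    "2024-03-04T23:47:00 dave path=/shares/hr/salaries.csv result=allowed",
    "2024-03-04T23:49:00 dave path=/shares/hr/payroll.csv result=denied",
    "2024-03-04T02:30:00 erin path=/shares/legal/contracts.zip result=allowed",
]

# Assumptions for this example
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/", "/shares/legal/")
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59
BADGE_WINDOW = timedelta(hours=2)      # badge entry must precede the event by <= 2 h


def parse(line):
    """Turn one log line into a dict with a datetime 'ts', a 'user' and the key=value fields."""
    ts, user, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "user": user}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec


def badged_in_recently(event, badge_events):
    """True if the same user has a granted badge entry within BADGE_WINDOW before the event."""
    return any(
        b["user"] == event["user"] and b["result"] == "granted"
        and timedelta(0) <= event["ts"] - b["ts"] <= BADGE_WINDOW
        for b in badge_events
    )


def score_event(event, badge_events):
    """Additive risk score for one file-access event; weights are illustrative."""
    score, reasons = 0, []
    if event["ts"].hour not in BUSINESS_HOURS:
        score += 2; reasons.append("after-hours")
    if event["path"].startswith(SENSITIVE_PREFIXES):
        score += 3; reasons.append("sensitive-share")
    if event["result"] == "denied":
        score += 2; reasons.append("access-denied")
    if not badged_in_recently(event, badge_events):
        # Activity on the internal file server with no matching physical entry:
        # a shared credential, a remote session, or a badge that was tailgated around.
        score += 4; reasons.append("no-badge-record")
    return score, reasons


def rank_employees(badge_lines, file_lines):
    """Sum event scores per user and return [(user, total)] highest first."""
    badges = [parse(l) for l in badge_lines]
    totals = defaultdict(int)
    for line in file_lines:
        ev = parse(line)
        s, _ = score_event(ev, badges)
        totals[ev["user"]] += s
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


RANKING = rank_employees(BADGE_LOG, FILE_LOG)

if __name__ == "__main__":
    for user, total in RANKING:
        print(f"{user:8} {total}")
```

On the constructed data the ranking comes out dave, erin, alice: dave's after-hours reads of HR shares (one of them denied) outrank erin's single after-hours access that has no badge record behind it, while alice's in-hours, badged access to a finance share scores low. In practice the weights would be tuned against historical data, and the top of the list is a queue for review or remedial training, not a verdict.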